p0f v3 (version 3.08b)

1. What's this?

P0f is a tool that utilizes an array of sophisticated, purely passive traffic
fingerprinting mechanisms to identify the players behind any incidental TCP/IP
communications (often as little as a single normal SYN) without interfering in
any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant
number of improvements to network-level fingerprinting, and introducing the ability to reason
about application-level payloads (e.g., HTTP).

Some of p0f's capabilities include:

Highly scalable and extremely fast identification of the operating system
and software on both endpoints of a vanilla TCP connection - especially in
settings where NMap probes are blocked, too slow, unreliable, or would
simply set off alarms.

Fun fact: The idea for p0f dates back to
June 10, 2000. Today,
almost all applications that do passive OS fingerprinting either simply reuse p0f
for TCP-level checks (Ettercap, Disco, PRADS, Satori), or use inferior approaches that,
for example, pay no attention to the intricate relationship between host's
window size and MTU (SinFP).

3. Can I have it?

Yup: click here to download the current release (3.08b), or here to browse
older releases, including 2.0.x and 1.8.x.

Please keep in mind that p0f v3 is a complete rewrite of the original tool, including a brand new database of signatures. We are starting
from scratch, so especially for the first few releases, please be sure to submit new signatures and report bugs with special zeal! I am particularly
interested in:

TCP SYN ("who is connecting to me?") signatures for a variety of systems - especially from some of the older, more exotic, or more specialized platforms,
such as Windows 9x, NetBSD, IRIX, Playstation, Cisco IOS, etc. To do this, you simply need to attempt establishing a connection to a box running p0f.
The connection does not need to succeed.

TCP SYN+ACK signatures ("who am I connecting to?"). The current database is minimal, so all contributions are welcome. To collect these signatures, you
need to compile the supplied p0f-sendsyn tool, and then use it to initiate a connection to an open port on a remote host; see
README for more.

HTTP request signatures - especially for older or more exotic browsers (e.g. MSIE5, mobile devices, gaming consoles), crawlers, command-line tools, and
libraries. To collect a signature, you can run p0f on the client system itself, or on the web server it talks to.

HTTP response signatures. P0f ships with a minimal database here (only Apache 2.x has any real coverage). Signatures are best collected for three
separate cases: several minutes of casual browsing with a modern browser; a request with curl; and another one with wget.

4. Just show me how it works, OK?

Not all capabilities of p0f can be showcased here, and as noted, this release candidate still has a relatively small database of fingerprints. That said,
here's the most recent positive match p0f has for your IP:

Detected OS = unknown
HTTP client = unknown
Network link = Ethernet or modem
Distance = 19
Language = English
Note that the result may be affected by transparent proxies set up by your ISP or your employer,
and so on. Especially if you are seeing a dramatic mismatch (e.g. Windows misidentified as Linux), it's fairly unlikely
that p0f is wrong. Cellular operators are particularly notorious for intercepting traffic.

Okay, now here's your chance to do a good deed. If some of that information is incorrect, or if p0f simply
could not identify you at all, please complete this short questionnaire: